{
	"id": "08bd0ebd-685b-4804-adc7-2b5be0e22768",
	"created_at": "2026-04-06T00:09:01.352683Z",
	"updated_at": "2026-04-10T03:35:47.087841Z",
	"deleted_at": null,
	"sha1_hash": "5dcae616df5c1c95c2d4d5b23ad148a44bf93475",
	"title": "Naikon, Lotus Panda - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75463,
	"plain_text": "Naikon, Lotus Panda - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 16:45:44 UTC\r\nHome \u003e List all groups \u003e Naikon, Lotus Panda\r\n APT group: Naikon, Lotus Panda\r\nNames\r\nNaikon (Kaspersky)\r\nHellsing (Kaspersky)\r\nLotus Panda (CrowdStrike)\r\nITG06 (IBM)\r\nG0019 (MITRE)\r\nCountry China\r\nSponsor State-sponsored, PLA Unit 78020\r\nMotivation Information theft and espionage\r\nFirst seen 2010\r\nDescription\r\nNaikon is a threat group that has focused on targets around the South China Sea. The\r\ngroup has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu\r\nMilitary Region Second Technical Reconnaissance Bureau (Military Unit Cover\r\nDesignator 78020). While Naikon shares some characteristics with APT 30,\r\nOverride Panda, the two groups do not appear to be exact matches.\r\nObserved\r\nSectors: Defense, Energy, Government, Law enforcement, Media.\r\nCountries: Australia, Brunei, Cambodia, China, India, Indonesia, Laos, Malaysia,\r\nMyanmar, Nepal, Philippines, Saudi Arabia, Singapore, South Korea, Thailand,\r\nUSA, Vietnam.\r\nTools used\r\n8.t Dropper, Aria-body, Aria-body loader, ARL, BackBend, Backspace, Creamsicle,\r\nFlashflood, FoundCore, Gemcutter, HDoor, JadeRAT, LadonGo, Milkmaid, Naikon,\r\nnbtscan, Nebulae, NetEagle, NewCore RAT, Orangeade, PlugX, Quarks PwDump,\r\nRARSTONE, Sandboxie, Shipshape, Sisfader, Spaceship, SslMM, Sys10,\r\nTeamViewer, Viper, WinMM, xsPlus, Living off the Land.\r\nOperations performed 2012 Naikon downloader/backdoor\r\n2013 “MsnMM” Campaigns\r\n\u003chttps://media.kasperskycontenthub.com/wp-https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c62ba18b-436f-4db5-b25d-053daea89259\r\nPage 1 of 3\n\ncontent/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf\u003e\nFeb 2013\nBKDR_RARSTONE RAT\nLast year, we reported about PlugX a breed of Remote Access Trojan\n(RAT) used in certain high-profile APT campaigns. 
We also noted\nsome of its noteworthy techniques, which include its capability to hide\nits malicious codes by decrypting and loading a backdoor “executable\nfile” directly into memory, without the need to drop the actual\n“executable file”.\nRecently, we uncovered a RAT using the same technique. The new\nsample detected by Trend Micro as BKDR_RARSTONE.A is similar\n(but not) PlugX, as it directly loads a backdoor “file” in memory\nwithout dropping any “file”. However, as we proceeded with our\nanalysis, we found that BKDR_RARSTONE has some tricks of its\nown.\nMar 2014\nCampaign in the wake of the MH370 tragedy\nBy March 11th, the Naikon group was actively hitting most of the\nnations involved in the search for MH370. The targets were extremely\nwide-ranging but included institutions with access to information\nrelated to the disappearance of MH370.\nSep 2015\nOperation “CameraShy”\n2017\nRecently Check Point Research discovered new evidence of an\nongoing cyber espionage operation against several national\ngovernment entities in the Asia Pacific (APAC) region. This operation,\nwhich we were able to attribute to the Naikon APT group, used a new\nbackdoor named Aria-body, in order to take control of the victims’\nnetworks.\nApr 2022\nThe Lotus Panda is Awake, Again. Analysis of its Last Strike.\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c62ba18b-436f-4db5-b25d-053daea89259",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c62ba18b-436f-4db5-b25d-053daea89259"
	],
	"report_names": [
		"showcard.cgi?u=c62ba18b-436f-4db5-b25d-053daea89259"
	],
	"threat_actors": [
		{
			"id": "360f51f5-8a80-41d6-92c4-9aa042cd2732",
			"created_at": "2022-10-25T16:07:23.34569Z",
			"updated_at": "2026-04-10T02:00:04.55147Z",
			"deleted_at": null,
			"main_name": "APT 30",
			"aliases": [
				"APT 30",
				"Bronze Geneva",
				"Bronze Sterling",
				"CTG-5326",
				"G0013",
				"Override Panda",
				"RADIUM",
				"Raspberry Typhoon"
			],
			"source_name": "ETDA:APT 30",
			"tools": [
				"BackBend",
				"Creamsicle",
				"Flashflood",
				"Gemcutter",
				"Lecna",
				"NetEagle",
				"Neteagle_Scout",
				"Orangeade",
				"ScoutEagle",
				"Shipshape",
				"ZRLnk",
				"norton"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5dcae616df5c1c95c2d4d5b23ad148a44bf93475.pdf",
		"text": "https://archive.orkl.eu/5dcae616df5c1c95c2d4d5b23ad148a44bf93475.txt",
		"img": "https://archive.orkl.eu/5dcae616df5c1c95c2d4d5b23ad148a44bf93475.jpg"
	}
}